This guide is for a Lab environment scenario where we have Exchange 2010 setup and we need a certificate to make OWA / Autodiscover work in Lab.
When we Install a RootCA (standalone) and generate a certificate for our use initially it works without issues until the certificate is imported in Exchange and get the error “The Certificate status could not be determined because the revocation check failed”
This happens coz of CRL Distribution Point URL, which are configured under the CA server properties / Extensions tab and Certificate Revocation settings.
This is the default settings for “Extensions” on Root CA server. (screenshots taken from a another Server)
This is the default settings for CRL on Root CA server. Right click “Revoked Certificates” Node and select properties.
Lets change these values to work for us.
1st Step, we will set the Configuration Naming Context which will be used in the CRL path.
Start Command Prompt (CMD) and run the following 1 line commad:
certutil –setreg CA\DSConfigDN CN=Configuration,DC=vhomelab,DC=com
Replace DC=vhomelab,DC=com to your domain name.
2nd step, we will change the settings under “Extensions” tab.
3rd Step, change settings under “Revoked Certificates” properties.
Now, restart the certificate service.
Again right click “Revoked Certificates” and select “Publish” from “Tasks”
This will publish the new CRL with the changes that we made.
Now, go to the Domain Controller and browse the Certificate server using browser (http://YourRootCA/certsrv) and download “CA Certificate” and CRL. (save it on C:\)
From CMD, execute 2 commands: Certutil –addstore –f Root RootCert.cer and Certutil –addstore –f Root RootCRL.crl
This will add Root Certificate and CRL to trusted Root Certificate on DC.
Now we will publish the Root Certificate and CRL to AD DS using commands as follows.
Certutil –dspublish –f RootCert.cer RootCA
Certutil –dspublish –f RootCRL.crl
Now, generate a certificate request from from Exchange Management Shell. (you can use GUI as well)
New-ExchangeCertificate -FriendlyName ‘Ex2010-Cert03’ -GenerateRequest -PrivateKeyExportable $true -KeySize ‘2048’ -SubjectName ‘C=BH,S=”State”,L=”City”,O=”vHomelab”,OU=”IT”,CN=mail.vhomelab.com’ -DomainName ‘cas-a.vhomelab.com’,’mail.vhomelab.com’,’vhomelab.com’,’autodiscover.vhomelab.com’ -Server ‘CAS-A’
Complete the certificate request in Exchange Management console.
If you check the certificate by double clicking it, and under details, see the CRL distribution points,
1st, the command that we ran for Configuration Naming Context, that was to get the CRL path configured properly as shown below.
Hope this has helped you in some ways.